Some posts on the ActiveDir.org mailing list reminded me of a topic I discussed some time ago with a few people: using the .local DNS suffix for an AD domain. There is nothing wrong with this particular suffix as such; it can be used, it is widely used in examples, and as far as I know it is the default suffix proposed during SBS installation. But, yes, there's always something :).

The problem starts when your environment is not pure Windows (servers and clients) but also includes Linux or Mac OS X clients that you want to join to your domain or that have to use domain resources. Linux clients may, and AFAIK (I'm not very familiar with Mac OS) Mac OS X clients by default do, support the multicast DNS specification, which says the following:

This document proposes that the DNS top-level domain ".local." be designated a special domain with special semantics, namely that any fully-qualified name ending in ".local." is link-local, and names within this domain are meaningful only on the link where they originate.

(…)

Any DNS query for a name ending with ".local." MUST be sent to the mDNS multicast address (224.0.0.251 or its IPv6 equivalent FF02::FB).

So here is our problem: how can a non-Windows client identify and locate an AD domain that uses the .local suffix if it sends all queries for names under that suffix to the multicast address instead of the AD DNS servers? For non-Windows clients this causes problems with authentication, locating resources, etc. in the AD domain environment. How can we solve this problem?

First, if we are aware of this problem at the domain promotion stage, don't use the .local suffix for your AD domain. Use .private or something like that instead.

For Mac OS X clients you can use this tip to configure them to also send unicast DNS queries for the domain. Here is another very good description of how to fix this problem for Mac OS X. There is probably a similar configuration for Linux clients; I should check it in the future.
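As an added example (not code from the original post or from the linked tip), the small POSIX shell helper below ties together the problem from the paragraphs above and the Mac OS X fix: it flags a domain whose suffix falls under the mDNS ".local" rule, builds the DC locator SRV name that domain members resolve to find a domain controller, and emits the per-domain resolver file that makes the Mac OS X resolver send unicast queries for that one suffix to the AD DNS server. The domain name corp.local and the server address 192.0.2.10 are constructed placeholders; the /etc/resolver/<domain> mechanism is the one documented in Mac OS X's resolver(5) and is assumed to be what the linked tip uses.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: corp.local and
# 192.0.2.10 are placeholders for your AD domain and its DNS server; the
# /etc/resolver/<domain> file is the Mac OS X per-domain resolver mechanism.

# Return 0 if the name ends in ".local" (case-insensitive, optional trailing
# dot), i.e. an mDNS-aware client will send queries for it to 224.0.0.251
# instead of the configured unicast DNS servers.
suffix_is_mdns() {
    _d=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    _d=${_d%.}                      # strip a trailing dot
    case "$_d" in
        local|*.local) return 0 ;;
        *)             return 1 ;;
    esac
}

# Build the DC locator SRV record name that members of the given AD domain
# resolve to find a domain controller; this is what breaks when the query
# goes to multicast instead of the AD DNS server.
dc_locator_srv_name() {
    printf '_ldap._tcp.dc._msdcs.%s' "${1%.}"
}

# Emit the contents of /etc/resolver/<domain> (argument 1 = AD domain, used
# only as the file name by the caller; argument 2 = AD DNS server address).
# Naming the file after the full AD domain, rather than just "local", keeps
# other .local names on mDNS and sends only the AD domain to unicast DNS.
resolver_file_content() {
    printf 'nameserver %s\n' "$2"
}

# Usage: ./check-local-suffix.sh corp.local 192.0.2.10
if [ $# -eq 2 ]; then
    domain=$1
    dns=$2
    if suffix_is_mdns "$domain"; then
        echo "WARNING: $domain ends in .local; mDNS clients will multicast queries for it"
        echo "Suggested contents of /etc/resolver/${domain%.}:"
        resolver_file_content "$domain" "$dns"
    fi
    # If dig is available, check the DC locator record directly against the
    # AD DNS server (unicast), bypassing whatever the local resolver would do.
    if command -v dig >/dev/null 2>&1; then
        dig +short SRV "$(dc_locator_srv_name "$domain")" @"$dns"
    fi
fi
```

Run it once with the domain and DNS server address to see whether the suffix is affected and what the resolver file should contain; comparing the direct dig answer with what `dscacheutil` or `nslookup` returns through the system resolver shows whether the client is still multicasting the query.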

And that's my $0.02 about this issue. I think it should be reflected in the documents describing AD and DNS implementation for the Windows platform, and should also be corrected anywhere .local is used by default (SBS world: am I right that this is the default proposed suffix?), but making those changes is far beyond my reach.
